Refresh of LDAP groups is failing

Document ID : KB000004928
Last Modified Date : 14/02/2018
Issue:

When the Refresh LDAP button in Users:Manage Groups is selected, the synchronization fails with either

Message error 2011 (user is not updated)

or a message that a user was moved to another group.

The failure occurs for users whose Distinguished Name in AD starts with the same name before an escaped comma, for example:

CN=Smith\, John,OU=Users,DC=ca,DC=com

CN=Smith\, Michael,OU=Users,DC=ca,DC=com

If these users have already been imported into PAM, the update failure is reported on refresh. As a result, some users who are members of a group in AD are not imported into PAM.

Following the example, suppose user CN=Smith\, John,OU=Users,DC=ca,DC=com is a member of CN=Windows Admin,OU=Users,DC=ca,DC=com and user CN=Smith\, Michael,OU=Users,DC=ca,DC=com is a member of CN=Linux Admin,OU=Users,DC=ca,DC=com.

After an LDAP refresh in PAM, the system may add or remove the wrong user, for example adding CN=Smith\, John,OU=Users,DC=ca,DC=com to CN=Linux Admin,OU=Users,DC=ca,DC=com in PAM and removing it from CN=Windows Admin,OU=Users,DC=ca,DC=com.

In AD, however, the users are still in the expected groups.

Environment:
Detected in Release 2.7 and 2.8.
Cause:

The issue occurs for users whose CN contains an escaped comma and whose names are otherwise similar (identical text before the comma).
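To illustrate the cause, here is an added example (not part of this article or of the product's code) that compares a naive comma split against an RFC 4514-aware DN parser on the two sample DNs. It assumes, as a hypothesis the article does not state, that the mismatch comes from treating the escaped comma inside the CN as an RDN separator, which makes both users look like "CN=Smith\".

```python
from typing import List, Tuple

# Constructed sample DNs, as in the article: both CNs share "Smith" before the escaped comma.
SAMPLE_DNS = [
    r"CN=Smith\, John,OU=Users,DC=ca,DC=com",
    r"CN=Smith\, Michael,OU=Users,DC=ca,DC=com",
]

def naive_rdns(dn: str) -> List[str]:
    """Split on every comma, ignoring backslash escapes: the failure mode assumed here."""
    return dn.split(",")

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs honouring RFC 4514 escapes (\\, and \\XX hex)."""
    rdns: List[Tuple[str, str]] = []
    buf = bytearray()  # raw UTF-8 bytes of the RDN being read
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(int(pair, 16))  # \XX: one escaped byte
                i += 3
            else:
                buf += dn[i + 1].encode("utf-8")  # \c: the literal character c
                i += 2
            continue
        if ch == ",":  # only an unescaped comma ends the RDN
            rdns.append(_split_rdn(buf.decode("utf-8")))
            buf = bytearray()
        else:
            buf += ch.encode("utf-8")
        i += 1
    rdns.append(_split_rdn(buf.decode("utf-8")))
    return rdns

def _split_rdn(rdn: str) -> Tuple[str, str]:
    attr, _, value = rdn.partition("=")
    return attr.strip().upper(), value

def naive_cn(dn: str) -> str:  # first comma-delimited fragment; identical for both sample users
    return naive_rdns(dn)[0]

def cn(dn: str) -> str:  # CN value with escapes resolved; distinct for the two users
    return next(v for a, v in parse_dn(dn) if a == "CN")

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"naive key={naive_cn(dn)!r:14} parsed CN={cn(dn)!r}")
```

Keying group membership on the naive fragment cannot distinguish the two accounts, whereas the parsed CN (or better, the full parsed DN or objectGUID) does.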

Resolution: